RM Unify - AD Sync Config Tool fails to display one or more users in the Users container
Published Date : 23 Mar 2018
Last Updated : 23 Jul 2024
Content Ref: TEC6154274
Summary
Explains why some or all users are missing from the RM Unify AD Sync Config Tool.
Symptoms
Some or all of your users fail to display in the main Users container in the RM Unify AD Sync Config Tool. In addition, the AD Sync log file contains the following error:
"ERROR,"ProcessADUser","Failed to process changes for AD User <ADUser> (<GUID>) - System.Runtime.InteropServices.COMException (0x8007200A): The specified directory service attribute or value does not exist." where <ADUser> is a missing user and <GUID> is a unique GUID.
Cause
The identitysyncservice user needs read permission on containers in Active Directory in order to search for users, e.g. CN=Users. If this permission is missing, the error above is logged.
By default, the identitysyncservice user is granted membership of the Account Operators and Domain Users groups during installation of RM Unify AD Sync. This group membership is sufficient to grant the user read permission on AD containers, unless customised permissions have been set on one or more containers.
Procedure
To confirm insufficient permissions are causing the issue
1. On the AD Sync server, open the AD Sync Config Tool.
2. Click Services, Stop.
3. On a domain controller, signed in as an administrator, open 'Active Directory Users and Computers' and browse to the Users OU.
4. Right-click the identitysyncservice user account and click Properties, the 'Member Of' tab, and then Add.
5. Type administrators and click OK, OK.
6. On the AD Sync server, open the AD Sync Config Tool.
7. Click Services, Start.
8. Wait 20 minutes and check whether the AD Sync log file contains the same error. If the error no longer appears in the log file and the missing users have started to appear in the AD Sync Config Tool, then there is an issue with permissions.
9. Repeat steps 1 to 7, this time removing the identitysyncservice user from the Administrators group, and continue with troubleshooting.
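The log check described above (wait 20 minutes, then see whether the same error is still logged) can be done per user instead of by eye. The Python below is an added example, not RM's own tooling: it matches only the message text quoted in this article, and the leading timestamp field, user names and GUIDs in the sample lines are constructed assumptions.

```python
import re
from collections import Counter

# Message text as quoted in this article. The fields before it on a log line
# (for example a timestamp) are not shown in the article, so the pattern
# searches within the line instead of anchoring to its start.
FAILURE = re.compile(
    r"Failed to process changes for AD User (?P<user>.+?) \((?P<guid>[^()]+)\)"
    r" - System\.Runtime\.InteropServices\.COMException \(0x8007200A\)"
)

def failing_users(lines):
    """Count 0x8007200A failures per (user, GUID) across an iterable of lines."""
    hits = Counter()
    for line in lines:
        match = FAILURE.search(line)
        if match:
            hits[(match.group("user"), match.group("guid").lower())] += 1
    return hits

def compare(before, after):
    """Return (resolved, still_failing) user names between two log excerpts."""
    old, new = set(failing_users(before)), set(failing_users(after))
    return (sorted(u for u, _ in old - new), sorted(u for u, _ in old & new))

def _sample(user, guid, code="0x8007200A"):
    # Constructed line: the leading timestamp field is an assumption.
    return ('"2024-01-01 09:00:00","ERROR","ProcessADUser","Failed to process '
            f"changes for AD User {user} ({guid}) - System.Runtime."
            f'InteropServices.COMException ({code}): constructed sample text."')

GUID_A = "11111111-2222-3333-4444-555555555555"  # constructed
GUID_B = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"  # constructed
GUID_C = "99999999-8888-7777-6666-555555555555"  # constructed
SAMPLE_BEFORE = [_sample("jsmith", GUID_A), _sample("apatel", GUID_B),
                 _sample("jsmith", GUID_A),
                 '"2024-01-01 09:00:05","INFO","Sync","constructed unrelated line"']
# After the change: apatel still fails; bjones fails with a different code,
# which is a different problem and is deliberately not counted.
SAMPLE_AFTER = [_sample("apatel", GUID_B),
                _sample("bjones", GUID_C, code="0x80070005")]

if __name__ == "__main__":
    resolved, remaining = compare(SAMPLE_BEFORE, SAMPLE_AFTER)
    print("resolved:", resolved)
    print("still failing:", remaining)
```

On real data, pass two open file handles to compare(): one log excerpt from before the change and one covering the 20 minutes after the service restart. Users that remain in the second list point to containers whose permissions still need checking.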
To check permissions on an AD container
1. Log on to a domain controller as an administrator and open 'Active Directory Users and Computers'.
2. Click View, Advanced Features and navigate down to the Users container.
3. Right-click and select Properties.
4. Click Security, Advanced.
5. Click the Effective Access tab and then click 'Select a user'.
6. Type identitysyncservice and click OK.
7. Click 'View effective access'.
8. Confirm the user has been granted the following permissions (i.e. there is a green tick next to each):
   - 'List contents'
   - 'Read all properties'
   - 'Read permissions'
9. Repeat steps 2 to 7 for all other containers.
What to do if you have corrected permissions
If you followed the above and found you needed to correct some permissions then complete the following:
1. On the AD Sync server, open the AD Sync Config Tool.
2. Click Services, Stop.
3. Click Services, Start.
4. Wait 20 minutes and check whether the missing users are now visible in the Users container in the AD Sync Config Tool.
More Information
If you still get the same error after completing a change of permissions then please raise a support call with the RM Unify Cloud Support team so we can help you further.
Document Keywords: actions, gafe, gapps, Google Apps, Google Apps for Education, TEC6154274, unify, rm unify